
[Stable/Urgent] Fix socketio server being able to be accessed by any website #501

Merged
merged 1 commit into from Sep 28, 2020

Conversation

CanadaHonk
Contributor

(For the stable branch, for the PaaS branch see #500.)

Without this patch any website can get the Discord user information if the PreMiD desktop app is running, as it leaves the locally hosted socketio web server (port 3020) open to all origins.

This patch implements a fix, which is a function that tests the origin on each socket connection: it checks whether the origin is *, as Chrome extensions appear with that origin (*), so it limits access to only Chrome extensions. There are most likely better fixes which would limit it to only the PreMiD extension and not all Chrome extensions, but this is the best solution for now.

Please merge this (or make a similar fix) quickly, as this is a serious problem: it allows any website to get the Discord user information of anyone currently running PreMiD.

It has been successfully tested on:

  • Chromium-based (Brave Nightly) - Linux (Arch)
  • Firefox (Nightly) - Linux (Arch)
  • Chrome - Windows
  • Firefox - Windows

Without fix (user info is easily got): [image]

With fix (it is blocked): [image]
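The origin check the PR describes, as an added example (not the PR's own code): a pure function that decides whether a socket.io handshake may proceed, wrapped in the shape of engine.io's `allowRequest(req, fn)` hook. It assumes that hook and uses a placeholder extension ID, not PreMiD's real one.

```javascript
// Added example, not the PR's own code: an origin check for a locally hosted
// socket.io server, kept as a pure function so it can be tested with no server.
// Assumed: engine.io's `allowRequest(req, fn)` hook, and a placeholder
// extension ID (not PreMiD's real one).
const TRUSTED_EXTENSION_ORIGINS = new Set([
  "chrome-extension://PLACEHOLDER_EXTENSION_ID", // placeholder, not a real ID
]);

function isAllowedOrigin(origin) {
  // Ordinary web pages always send an http(s):// Origin on WebSocket upgrades
  // and on cross-site polling requests; that is the case the PR is blocking.
  if (!origin) {
    // No Origin header at all (non-browser client): reject rather than guess.
    return false;
  }
  if (origin === "*") {
    // The PR notes that Chrome extensions present "*" as their origin.
    // This is a coarse signal (any extension passes), so pinning the
    // extension's own origin, as below, is the stronger check.
    return true;
  }
  return TRUSTED_EXTENSION_ORIGINS.has(origin);
}

// Adapter in the shape of engine.io's allowRequest option: fn(err, success).
function allowRequest(req, fn) {
  const origin = req.headers ? req.headers.origin : undefined;
  if (isAllowedOrigin(origin)) return fn(null, true);
  return fn("origin not allowed", false);
}

// Constructed sample handshakes (not captured traffic) run through the hook.
function checkSamples() {
  const samples = {
    webPage: { origin: "https://some-website.example" },
    chromeExtension: { origin: "*" },
    pinnedExtension: { origin: "chrome-extension://PLACEHOLDER_EXTENSION_ID" },
    noOrigin: {},
  };
  const results = {};
  for (const [name, headers] of Object.entries(samples)) {
    allowRequest({ headers }, (err, ok) => { results[name] = ok; });
  }
  return results;
}
```

Passing `allowRequest` in the socket.io server options (assumed to be forwarded to engine.io) applies the check to every handshake before a socket is created.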

@CanadaHonk CanadaHonk requested a review from Timeraa as a code owner July 3, 2020 11:55
@Timeraa
Member

Timeraa commented Aug 25, 2020

Closing this as we're working on a new app which will incorporate these security concerns.

@Timeraa Timeraa closed this Aug 25, 2020
@CanadaHonk
Contributor Author

CanadaHonk commented Sep 15, 2020

This is now a public CVE.
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24928
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-24928

A web page showcasing the vulnerability and what it can do is also now public: https://cve-2020-24928.netlify.app.

@Fruxh Fruxh reopened this Sep 28, 2020
@Fruxh Fruxh merged commit a916982 into PreMiD:stable Sep 28, 2020
1 check passed